Regulatory Compliance and Cloud Adoption
Today, we are talking about regulatory compliance and the Cloud.
The FCA closed its consultation on guidance for the adoption of Cloud services by financial institutions back in 2016.
Although these guidelines are specifically targeted at financial services (FS), they are worth reviewing by any organization that handles personal information, which in practice means almost anyone who does business in the Cloud.
At endjin, we've been working with our clients, who have all moved some or all of their business to the cloud, to provide feedback to the FCA as part of this consultation process.
In this post, I've pulled out a few of our key observations.
- The principles are no different between on-prem, managed provider and cloud datacentres. You can produce an effective compliance plan in any of these scenarios, but there is no free lunch.
- Most real-world solutions are likely to be a combination of provision models. An awareness of the risks at the boundaries between those models is essential to a successful compliance plan.
- It is not possible to get a fully isolated service from Cloud providers. Standard operating procedures mean that systems may be accessed by service personnel from out-of-region, for example, and you cannot have your own isolated backbone. However...
- Cloud providers can lower your risk profile. Physical security, patching, redundancy, key management and disaster recovery scenarios are often more robust than those of internal data centres, for example.
- Standard Cloud provider contracts are not well-tuned for FS applications. Vendors are aware of this issue, and Microsoft in particular are willing to negotiate terms on a case-by-case basis to help overcome specific problems until an overall framework is agreed.
- Uncertainty around future regulatory change is a barrier to adoption. A lack of clarity around the direction of future regulation, or the application of existing regulation, creates a climate of uncertainty which tends to retard any change agenda.
- Requirements for a vendor-migration plan are restrictive. The lack of standardization between IaaS, PaaS and SaaS services from different vendors makes a vendor-migration plan seem challenging. This requirement needs to be addressed as a core part of the solution architecture rather than bolted on afterwards.
These seven points are the tip of the iceberg when it comes to implementing regulatory guidelines. If you are interested in discussing any of these issues, then get in touch; we'd love to hear your perspective. It is notable that there are relatively few detailed FS cloud case studies, and we aim to do something about that with great clients like Milliman and Hymans Robertson.